Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (2).zip

Zip archive data, at least v2.0 to extract, compression method=deflate

initial sample

Details

Filetype:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy:	7.999663355054797
Filename:	MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (2).zip
Filesize:	456847
MD5:	44207dd804203cbc449240dd87f2e2d9
SHA1:	c7195dbaa25888084759ee80fb2ff212aaf88003
SHA256:	c3eb3f37858a3fe26eab5777a5e2c439d208b0f2fb8a49e8ca44e20d946b6d7d
SHA512:	c4004e5dcb913cfdf10b8ceb7a8cc9f6005d3872927185b01552f69b2e0441ccd604cd4fb908ac6d4fb2a1e8c1f910ac44286d3727d305cb03404f5fcdf44ba9
SSDEEP:	12288:EWcNtUNO3J3ps24jeUfZQ6Vq89JdcJcdvVcD/D:hcNtUcZF4jeUfZHVqDJcJV0r
Preview:	PK........Py/Z..Z.C...HR..Q.$.Defender detected 'Virus:Win32/virut' in file 'Setup.exe' during a scheduled scan.. ............._g......_g......_g..\|..,...g...)......^...;....Q..........]....Bl.....^...5U....Y.K...........H}.d.........C......9....t.-B..G?.

C:\Users\user\Downloads\1vSHfzz0.exe'%20during%20a%20scheduled%20scan.part

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Downloads\1vSHfzz0.exe'%20during%20a%20scheduled%20scan.part
Category:	dropped
Dump:	1vSHfzz0.exe'%20during%20a%20scheduled%20scan.part.18.dr
ID:	dr_0
Target ID:	18
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.6536235962267956
Encrypted:	false
Size:	545352
Whitelisted:	false

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for dropped file	AV Detection	Security Software Discovery
Drops PE files	Persistence and Installation Behavior
Drops files with a non-matching file extension (content does not match file extension)	Persistence and Installation Behavior	Masquerading

C:\Users\user\Downloads\virut' in file 'Setup.exe' during a scheduled scan (copy)

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\Downloads\virut' in file 'Setup.exe' during a scheduled scan (copy)
Category:	dropped
Dump:	1vSHfzz0.exe'%20during%20a%20scheduled%20scan.part.18.dr
Target ID:	18
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]

dropped

Details

File:	C:\Users\user\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41
Category:	dropped
Dump:	mozilla-temp-41.18.dr
ID:	dr_3
Target ID:	18
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
Type:	ISO Media, MP4 Base Media v1 [ISO 14496-12:2003]
Entropy:	0.4593089050301797
Encrypted:	false
Size:	32768
Whitelisted:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs-1.js

ASCII text, with very long lines (1717), with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs-1.js
Category:	dropped
Dump:	prefs-1.js1.18.dr
ID:	dr_5
Target ID:	18
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Entropy:	5.5248528252259845
Encrypted:	false
Size:	9993
Whitelisted:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs.js (copy)

ASCII text, with very long lines (1717), with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\prefs.js (copy)
Category:	dropped
Dump:	prefs-1.js.18.dr
Target ID:	18
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
Type:	ASCII text, with very long lines (1717), with CRLF line terminators
Entropy:	0.0
Encrypted:	false
Size:	0
Whitelisted:	false

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json (copy)

JSON data

dropped

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json.tmp

JSON data

dropped

Details

File:	C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\sp4c0p22.default-release\sessionCheckpoints.json.tmp
Category:	dropped
Dump:	sessionCheckpoints.json.tmp.18.dr
ID:	dr_2
Target ID:	18
Process:	C:\Program Files\Mozilla Firefox\firefox.exe
Type:	JSON data
Entropy:	4.194538242412464
Encrypted:	false
Size:	90
Whitelisted:	false

URLs

Name

Malicious

http://detectportal.firefox.com/canonical.html

34.107.221.82

http://detectportal.firefox.com/success.txt?ipv4

34.107.221.82

Domains

Name

Malicious

example.org

23.215.0.132

prod.classify-client.prod.webservices.mozgcp.net

35.190.72.216

prod.balrog.prod.cloudops.mozgcp.net

35.244.181.201

prod.detectportal.prod.cloudops.mozgcp.net

34.107.221.82

ipv4only.arpa

192.0.0.171

prod.ads.prod.webservices.mozgcp.net

34.117.188.166

push.services.mozilla.com

34.107.243.93

prod.remote-settings.prod.webservices.mozgcp.net

34.149.100.209

contile.services.mozilla.com

34.117.188.166

prod.content-signature-chains.prod.webservices.mozgcp.net

34.160.144.191

spocs.getpocket.com

unknown

detectportal.firefox.com

unknown

content-signature-2.cdn.mozilla.net

unknown

firefox.settings.services.mozilla.com

unknown

shavar.services.mozilla.com

unknown

There are 5 hidden domains, click here to show them.

IPs

Domain

Country

Malicious

35.244.181.201

prod.balrog.prod.cloudops.mozgcp.net

United States

Details

IP:	35.244.181.201
TargetID:	18
Current Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Country:	United States
Countrycode:	USA
ASN number:	15169
ASN name:	GOOGLEUS
Private:	false
Domain:	prod.balrog.prod.cloudops.mozgcp.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

34.117.188.166

prod.ads.prod.webservices.mozgcp.net

United States

44.242.27.200

unknown

United States

35.190.72.216

prod.classify-client.prod.webservices.mozgcp.net

United States

34.160.144.191

prod.content-signature-chains.prod.webservices.mozgcp.net

United States

Details

IP:	34.160.144.191
TargetID:	18
Current Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Country:	United States
Countrycode:	USA
ASN number:	2686
ASN name:	ATGS-MMD-ASUS
Private:	false
Domain:	prod.content-signature-chains.prod.webservices.mozgcp.net

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

127.0.0.1

unknown

34.107.221.82

prod.detectportal.prod.cloudops.mozgcp.net

United States

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (2).zip

Files

URLs

Domains

IPs

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportMDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (2).zip

Files

URLs

Domains

IPs

IOC Report
MDE_File_Sample_c404ec52446527b77da6860ca493ea2007ac03d5 (2).zip